Key findings
Four observations from 3,508 sessions that reveal patterns invisible to traditional honeypots.
1. Kinsing botnet evasion technique
148 sessions used the path /bin/./uname instead of /usr/bin/uname.
This dot-slash trick is a signature of the Kinsing cryptomining botnet. The path /bin/./uname resolves to the same binary as /bin/uname, but many honeypots and simple command-matching systems fail to normalize it — they don't recognize it as the same command.
HYDRA's cmd_router normalizes paths before processing, so every Kinsing session was captured and responded to correctly. A traditional honeypot with static command matching would either return an error or produce inconsistent output — immediately revealing itself.
Defensive takeaway
Log normalization is critical. If your SIEM matches on exact command strings, /bin/./uname bypasses your detection rules while /bin/uname triggers them. Normalize paths before matching.
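To illustrate the normalization step, here is an added example (not HYDRA's cmd_router and not code from the original page) that canonicalizes the executable path of a command line before rule matching. The rule table, the merged-/usr alias map and the sample session lines are constructed assumptions for the demonstration.

```python
import posixpath
import re

# Assumption: a merged-/usr layout where /bin is an alias of /usr/bin, so
# both spellings of uname seen in the sessions map to one canonical path.
MERGED_USR = {"/bin": "/usr/bin", "/sbin": "/usr/sbin", "/lib": "/usr/lib"}

# Constructed detection rules keyed on the canonical command string.
RULES = {"/usr/bin/uname -a": "recon.uname"}


def normalize_exe(path: str) -> str:
    """Collapse /./, /../ and repeated slashes, then apply the /usr alias map."""
    if not path.startswith("/"):
        return path  # bare names (e.g. 'uname') are left to PATH resolution
    clean = posixpath.normpath(re.sub(r"/{2,}", "/", path))  # '//' is special in POSIX
    head, _, tail = clean.rpartition("/")
    head = MERGED_USR.get(head, head)
    return f"{head}/{tail}"


def canonical_command(line: str) -> str:
    """Rewrite only the first token (the executable); arguments stay verbatim."""
    parts = line.split()
    if not parts:
        return ""
    parts[0] = normalize_exe(parts[0])
    return " ".join(parts)


def match_exact(line: str):
    """Naive SIEM-style matching on the raw string: the dot-slash form slips through."""
    return RULES.get(" ".join(line.split()))


def match_normalized(line: str):
    """Matching after normalization: every spelling hits the same rule."""
    return RULES.get(canonical_command(line))


# Constructed sample session lines mirroring the variants described above.
SAMPLE = ["/bin/./uname -a", "/bin/uname -a", "//bin/../bin/./uname -a", "id"]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(f"{raw!r:32} exact={match_exact(raw)!s:12} normalized={match_normalized(raw)}")
```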
Offensive takeaway
Path obfuscation remains effective against signature-based detection. The dot-slash trick is trivial but widely unhandled.
2. Solana node targeting
303 login attempts used the usernames sol (213) and solana (90).
These aren't random credentials — they indicate scanners specifically designed to find Solana validator nodes. The solana username is the default for the Solana CLI tools, and sol is a common abbreviation used in validator setup scripts.
The crypto_validator persona was designed to attract exactly this type of scanner, and the data confirms it works. Sessions that authenticate with these credentials tend to immediately look for keypair files and wallet configurations.
Defensive takeaway
If you run Solana infrastructure, monitor for SSH brute-force attempts targeting crypto-specific usernames. The sol/solana pattern is a strong indicator of targeted scanning.
3. Test credential propagation
Gr1zzly!Pr0d_2026 — an internal test password — became the 3rd most tried password with 82 attempts.
This password was used by the automated audit tool during testing. Within days of the honeypot going live, it appeared in brute-force wordlists being used by external scanners.
This demonstrates how quickly operational credentials propagate into attack tooling. A password used once in a test environment, visible in authentication logs, can enter the global brute-force ecosystem within days.
Defensive takeaway
Never reuse test credentials in production environments, even temporarily. Credential leakage into brute-force wordlists is faster than most teams assume. Rotate immediately after testing.
4. Persona effectiveness varies dramatically
| Persona | Avg commands | Avg duration | Engagement factor |
|---|---|---|---|
| fintech_trading | 1,349 | 94s | 2.4× baseline |
| crypto_validator | 643 | 148s | 1.2× baseline |
| corp_ad | 555 | 86s | 1.0× baseline |
The fintech persona generates 2.4 times more interaction than corp_ad. The AWS credentials, trading API configuration files, and PostgreSQL databases in the fintech persona create a much larger exploration surface.
Interestingly, crypto_validator has the longest average duration (148s) despite fewer commands — attackers spend more time reading keypair files and checking simulated balances.
Defensive takeaway
When designing deception environments, financial-sector simulations attract the deepest engagement. Cloud credentials (AWS keys) are the single most effective lure.
For the paper
This finding supports the hypothesis that persona design significantly impacts honeypot data quality. The DPO training format is specifically designed to learn from these engagement differences.